
Wednesday, 4 September 2013

Event ID 5156 Filtering Platform Connection - Repeated security log

I have seen a large number of logs with Event ID 5156 while working with File System Auditing, where this event is being repeatedly logged on my Server 2008 R2 machine.


After analyzing why Event ID 5156 was being repeatedly logged, I found the solutions below to stop it from being logged continuously.

Event ID 5156 is logged if Success or Failure auditing is enabled for Filtering Platform Connection in the Advanced Audit Policy Configuration settings, which are available in Windows 2008 R2 and later versions.

Category: Object Access

Subcategory: Filtering Platform Connection

You will get the following Event IDs if the Filtering Platform Connection is enabled.

5031 - The Windows Firewall Service blocked an application from accepting incoming connections on the network.

5154 - The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.

5155 - The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.

5156 - The Windows Filtering Platform has allowed a connection.

5157 - The Windows Filtering Platform has blocked a connection.

5158 - The Windows Filtering Platform has permitted a bind to a local port.

5159 - The Windows Filtering Platform has blocked a bind to a local port.

We should disable the audit policy setting Filtering Platform Connection in Advanced Audit Policy Configuration to stop this event. We can do it in the following ways.

Possible Solution: 1 - using Auditpol.exe

If you would like to get rid of this Filtering Platform Connection event 5156 then you need to run the following commands in an elevated command prompt (Run As Administrator):
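One way to do this from an elevated PowerShell prompt, as an added example rather than the post's own commands: it turns off only Success auditing for the subcategory (the source of Event ID 5156) and leaves Failure auditing as configured, so blocked connections (5157) are still logged. It assumes an English-language system, because auditpol localizes subcategory names and setting values; `Get-AuditSetting` is a helper name chosen for this example.

```powershell
# Added example: run in an elevated PowerShell session on the affected server.
# Assumption: English-language OS (auditpol output and names are localized).
$Subcategory = 'Filtering Platform Connection'

function Get-AuditSetting {
    param([string]$Name)
    # /r prints CSV with the columns: Machine Name, Policy Target, Subcategory,
    # Subcategory GUID, Inclusion Setting, Exclusion Setting
    $csv = auditpol /get /subcategory:"$Name" /r | Where-Object { $_ -and $_.Trim() }
    if ($LASTEXITCODE -ne 0) { throw 'auditpol /get failed (is the session elevated?)' }
    ($csv | ConvertFrom-Csv).'Inclusion Setting'
}

$before = Get-AuditSetting $Subcategory
Write-Host "Current setting: $before"

# 'Success' and 'Success and Failure' both match here.
if ($before -match 'Success') {
    # Only the Success half is disabled. 5156 (connection allowed) is a Success
    # event; 5157 (connection blocked) is a Failure event and keeps being logged
    # if Failure auditing was already on.
    auditpol /set /subcategory:"$Subcategory" /success:disable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw 'auditpol /set failed' }
}

$after = Get-AuditSetting $Subcategory
Write-Host "New setting:     $after"
if ($after -match 'Success') {
    Write-Warning 'Success auditing is still enabled for this subcategory.'
}
```

If the setting comes back after the next Group Policy refresh, it is being applied by a GPO and has to be changed there, as described under Solution 3.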

4. Check the audit setting Audit Filtering Platform Connection. If it is configured as Success, you can revert it to Not Configured and apply the setting.

Possible Solution: 3 - using Group Policy Object

If the setting is inherited by Local Security Policy from another GPO, you need to edit the specific GPO that configures the setting Audit Filtering Platform Connection. You can find the GPO by running Resultant Set of Policy.

1. Press Windows + R.

2. Type the command rsop.msc and click OK.

3. Now you can see the result window. Then go to the node Computer Configuration -> Windows Settings -> Local Policies -> Audit Policy.

4. Now you can see the Source GPO of the setting Audit Object Access, which is the root setting for Audit Filtering Platform Connection.

5. Then you can edit the Audit Filtering Platform Connection setting of the corresponding GPO by running the GPMC.msc command from the Run window or a command window.

Note: You need to run the command GPUpdate /force after every change to apply Group Policy to the system immediately.